{"id":"https://openalex.org/W7148297146","doi":"https://doi.org/10.48550/arxiv.2604.00702","title":"Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks","display_name":"Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks","publication_year":2026,"publication_date":"2026-04-01","ids":{"openalex":"https://openalex.org/W7148297146","doi":"https://doi.org/10.48550/arxiv.2604.00702"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.00702","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.00702","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.00702","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5107955172","display_name":"\u00d6m\u00fcr \u015eahin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sahin, Omur","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132814219","display_name":"Man Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Man","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5052735480","display_name":"Andrea Arcuri","orcid":"https://orcid.org/0000-0003-0799-2930"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Arcuri, Andrea","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.6263999938964844,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.6263999938964844,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.20499999821186066,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.06159999966621399,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.9678999781608582},{"id":"https://openalex.org/keywords/rest","display_name":"Rest (music)","score":0.6450999975204468},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.49729999899864197},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.4896000027656555},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.46880000829696655},{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.44940000772476196},{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.41679999232292175},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.38040000200271606}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.9678999781608582},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8511999845504761},{"id":"https://openalex.org/C77265313","wikidata":"https://www.wikidata.org/wiki/Q879844","display_name":"Rest (music)","level":2,"score":0.6450999975204468},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.49729999899864197},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.4896000027656555},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.46880000829696655},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.44940000772476196},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.42399999499320984},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.41679999232292175},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.3926999866962433},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.38040000200271606},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.359499990940094},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.31859999895095825},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.3167000114917755},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3052000105381012},{"id":"https://openalex.org/C148027188","wikidata":"https://www.wikidata.org/wiki/Q907375","display_name":"Unit testing","level":3,"score":0.27639999985694885},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2736999988555908},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.2662000060081482},{"id":"https://openalex.org/C128942645","wikidata":"https://www.wikidata.org/wiki/Q1568346","display_name":"Test case","level":3,"score":0.262800008058548},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.26179999113082886},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.25929999351501465},{"id":"https://openalex.org/C2775928411","wikidata":"https://www.wikidata.org/wiki/Q2041312","display_name":"Fault injection","level":3,"score":0.2590000033378601},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.25060001015663147}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.00702","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.00702","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.00702","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.00702","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"score":0.6158683896064758,"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Due":[0],"to":[1,15,106,122,204],"their":[2,195],"widespread":[3],"use":[4],"in":[5,12,67,92,127,198,208],"industry,":[6],"several":[7,209],"techniques":[8,140],"have":[9,24,41],"been":[10,25],"proposed":[11],"the":[13,95,175],"literature":[14],"fuzz":[16],"REST":[17,22,68,153,165,172],"APIs.":[18,154,187,212],"Existing":[19],"fuzzers":[20],"for":[21,152,181],"APIs":[23,166,173],"focusing":[26],"on":[27,45,159],"detecting":[28,62],"crashes":[29],"(e.g.,":[30],"500":[31],"HTTP":[32],"server":[33],"error":[34],"status":[35],"code).":[36],"However,":[37],"security":[38,112,206],"vulnerabilities":[39],"can":[40,86,202],"major":[42],"drastic":[43],"consequences":[44],"existing":[46,90],"cloud":[47],"infrastructures.":[48],"In":[49],"this":[50],"paper,":[51],"we":[52],"propose":[53],"a":[54,100,111,148,182,199],"series":[55],"of":[56,64,146,184,210],"novel":[57,83,139,192],"automated":[58,84,196],"oracles":[59,85,193],"aimed":[60],"at":[61],"violations":[63],"access":[65],"policies":[66],"APIs,":[69],"as":[70,72,77,116,143],"well":[71],"executing":[73],"traditional":[74],"attacks":[75],"such":[76],"SQL":[78],"Injection":[79],"and":[80,134,170,194],"XSS.":[81],"These":[82],"be":[87],"integrated":[88,142],"into":[89],"fuzzers,":[91],"which,":[93],"once":[94],"fuzzing":[96,200],"session":[97],"is":[98,104,114,120],"completed,":[99],"``security":[101],"testing''":[102],"phase":[103],"executed":[105],"verify":[107],"these":[108,211],"oracles.":[109],"When":[110],"fault":[113],"detected,":[115],"output":[117],"our":[118,191],"technique":[119],"able":[121],"general":[123],"executable":[124],"test":[125,136],"cases":[126],"different":[128],"formats,":[129],"like":[130],"Java,":[131],"Kotlin,":[132],"Python":[133],"JavaScript":[135],"suites.":[137],"Our":[138],"are":[141,156],"an":[144],"extension":[145],"EvoMaster,":[147],"state-of-the-art":[149],"open-source":[150],"fuzzer":[151],"Experiments":[155],"carried":[157],"out":[158],"9":[160],"artificial":[161],"examples,":[162],"8":[163],"vulnerable-by-design":[164],"with":[167,178],"black-box":[168],"testing,":[169,180],"36":[171],"from":[174],"WFD":[176],"corpus":[177],"white-box":[179],"total":[183],"52":[185],"distinct":[186],"Results":[188],"show":[189],"that":[190],"integration":[197],"process":[201],"lead":[203],"detect":[205],"issues":[207]},"counts_by_year":[],"updated_date":"2026-07-01T08:55:40.977307","created_date":"2026-04-03T00:00:00"}
